
NIS2 Advisory

Through our NIS2 advisory services we support your company in preparing to comply with the NIS2 Directive, ensuring that it is ready to meet the applicable cybersecurity regulations.

Do you have any questions?
Don't hesitate to contact us!

Zoltán Balogh

IT audit manager

Ádám Mosonyi

Partner, HCA


What is NIS2?

The NIS2 Directive (the second Network and Information Systems Directive) marks a new milestone in cybersecurity. NIS2 establishes a unified, high-level cybersecurity framework across the European Union, aimed at strengthening the preparedness of member states and affected organisations to defend against cyber threats.

Cybersecurity is one of the most critical challenges today and the NIS2 Directive is a key step in protecting digital infrastructure.

The NIS2 Directive requires organisations classified as essential or important entities to comply with stringent cybersecurity requirements and to report significant cybersecurity incidents to the national authorities.

Through RSM's NIS2 advisory services, our experienced IT audit specialists, working within our audit business line, support your preparation to comply with the requirements of the NIS2 Directive and help your company meet the relevant cybersecurity standards.

NIS2 – who falls within the scope?

The NIS2 Directive does not apply directly to Hungarian companies; as a directive, it must be transposed by each EU Member State, including Hungary, into its own national legal system.

In Hungary the implementation centres on the Cybersecurity Act (Act LXIX of 2024), Decree No. 418/2024 (XII. 23.) and the supervisory authority (SZTFH). The Cybersecurity Act lays down the national rules on cybersecurity certification and supervision, while the authority's role is to monitor compliance with those rules.

The organisations affected by NIS2 are those operating in the critical sectors listed in Annexes II and III of the Cybersecurity Act.

Based on the size criteria, the regulation applies only to medium-sized and large companies, i.e. those with at least 50 employees or an annual turnover of at least 10 million euros.

The size thresholds do not apply to providers of electronic communications networks or services, trust service providers, DNS service providers, top-level domain name registries or domain name registration service providers; these are in scope regardless of size.

NIS2 critical sectors, NIS2 highly critical sectors

Under Act LXIX of 2024, organisations operating in the critical sectors are required to implement a set of security measures, the details of which are defined in a decree issued by the minister responsible for IT.

NIS2 involvement - NIS2 calculator

With RSM's NIS2 calculator you can check whether your company falls within the scope of NIS2.


Compliance with the NIS2 directive - how can RSM help?

Through RSM's NIS2 advisory services, our experienced IT audit specialists support your preparation to comply with the requirements of the NIS2 Directive and help your company meet its cybersecurity obligations.

As part of RSM's NIS2 advisory we provide the following services:

GAP analysis:

  • We assess the current operational status of your organisation.
  • We identify the gaps between your current status and the regulatory requirements.
  • We prepare a detailed report on the identified cybersecurity deficiencies.

NIS2 advisory:

  • We assess the current cybersecurity status of the organisation.
  • We identify the gaps between that status and the regulatory requirements.
  • We assess the relevant IT risks.
  • We prepare a risk-based action plan to correct the deficiencies.

NIS2 Preparation:

  • Security classification
  • GAP analysis
  • Risk assessment and treatment action plan
  • NIS2 compliant policies
  • Awareness trainings
  • Audit support


What are the NIS2 requirements?

Act LXIX of 2024 aims to keep pace with digital transformation and to ensure the security of electronic information systems and their physical environment.

The requirements for NIS2-affected organizations are as follows:

1. Registration:

Under the previous law, affected organisations have had to register since 1 January 2024. Organisations that commenced operations before 1 January 2024 were required to register by 30 June 2024. For all other organisations a 30-day registration deadline applies in accordance with the Cybersecurity Act.

2. Security classification of electronic information systems:

Affected organisations must classify each of their electronic information systems into the appropriate security class.

3. Obligation to pay the supervisory fee and to implement the protective measures appropriate to the assigned security class.

4. Contract with an auditor:

Affected organisations must conclude a contract with a selected NIS2 auditor.

NIS2 deadlines - what to pay attention to?

  • By 30 June 2024: All organisations affected by NIS2 had to self-identify and apply for registration by completing the SZTFH 420 form. New companies have 30 days from the date they become subject to the Act to submit an application.
  • From 18 October 2024: Organisations affected by NIS2 must implement the security measures corresponding to the security class of their electronic information systems and pay the supervisory fee to SZTFH.
  • Under Act LXIX of 2024, a contract must be concluded within 120 days of registration with an accredited audit organisation listed on the SZTFH website.
  • By 15 February 2025: All organisations registered with the authority must report the list of EU member states in which they provide services.
  • By 31 December 2025: For organisations that started their activities before 1 January 2025, the selected auditor conducts the first cybersecurity audit. All other organisations have two years for this under Act LXIX of 2024.


NIS2 sanctions in case of non-compliance with cybersecurity regulations

If an organisation within the scope of NIS2 does not meet the requirements as implemented in Hungary, it may face significant financial consequences.

For essential entities, fines can reach 10 million euros or 2% of the total worldwide annual turnover, whichever is higher; for important entities, the maximum is 7 million euros or 1.4% of the previous year's worldwide turnover, whichever is higher.

The amounts of the cybersecurity fines and the detailed rules on non-compliance with the Cybersecurity Act and the other Hungarian NIS2 regulations are set out in Appendix III of Decree No. 418/2024. The affected organisation must pay a NIS2 fine within 8 days; in the case of multiple violations, the penalty is capped at the sum of the maximum fines that could be imposed for the individual non-compliances. A fine may be imposed again after the deadline for remediation has expired.

If a company does not comply with the NIS2 requirements set out in the Cybersecurity Act, the authority first warns the organisation to correct the deficiency by a deadline. If the organisation still does not meet the requirements after that deadline, the authority may impose a penalty proportionate to the severity of the irregularity, and the penalty may be repeated in the case of continued non-compliance. Compliance with the regulations is supervised by SZTFH.

The aim is to ensure that organisations operating critical infrastructure are better prepared for cyber threats and take timely steps to achieve compliance. It is therefore crucial for companies to start implementing the necessary measures now.
